Bird
Raised Fist0
AWScloud~5 mins

Security groups vs NACLs decision in AWS - CLI Comparison

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
When you want to control who can talk to your cloud servers, you use security groups and network ACLs. They both protect your network but work in different ways and places.
When you want to control traffic to and from individual cloud servers (instances).
When you need to set rules that apply to all servers in a subnet.
When you want to allow only certain IP addresses to access your web app.
When you want to block specific IP addresses from reaching your network.
When you want to add an extra layer of protection by combining both controls.
Commands
This command shows the rules of the security group named 'my-app-sg' to understand what traffic is allowed.
Terminal
aws ec2 describe-security-groups --group-names my-app-sg
Expected OutputExpected
{ "SecurityGroups": [ { "GroupName": "my-app-sg", "GroupId": "sg-0abc1234def567890", "IpPermissions": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] } ], "IpPermissionsEgress": [ { "IpProtocol": "-1", "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] } ] } ] }
--group-names - Specify the name of the security group to describe
This command shows the rules of the network ACL named 'my-app-nacl' to see what traffic is allowed or denied at the subnet level.
Terminal
aws ec2 describe-network-acls --filters Name=tag:Name,Values=my-app-nacl
Expected OutputExpected
{ "NetworkAcls": [ { "NetworkAclId": "acl-0abc1234def567890", "Entries": [ { "RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0", "PortRange": { "From": 80, "To": 80 } }, { "RuleNumber": 110, "Protocol": "-1", "RuleAction": "deny", "Egress": false, "CidrBlock": "192.168.1.0/24" } ] } ] }
--filters - Filter network ACLs by tag name
This command adds a rule to the security group to allow SSH access only from the IP range 203.0.113.0/24.
Terminal
aws ec2 authorize-security-group-ingress --group-id sg-0abc1234def567890 --protocol tcp --port 22 --cidr 203.0.113.0/24
Expected OutputExpected
No output (command runs silently)
--group-id - Specify the security group ID to update
--protocol - Specify the protocol for the rule
--port - Specify the port number to allow
--cidr - Specify the IP range allowed
This command adds a rule to the network ACL to deny inbound SSH traffic from all IP addresses, blocking it at the subnet level.
Terminal
aws ec2 create-network-acl-entry --network-acl-id acl-0abc1234def567890 --rule-number 120 --protocol 6 --port-range From=22,To=22 --egress false --rule-action deny --cidr-block 0.0.0.0/0
Expected OutputExpected
No output (command runs silently)
--network-acl-id - Specify the network ACL ID to update
--rule-number - Set the priority of the rule
--protocol - Specify the protocol (6 means TCP)
--port-range - Specify the port range for the rule
--egress - Set to false for inbound rules
--rule-action - Set to deny to block traffic
--cidr-block - Specify the IP range to block
Key Concept

If you remember nothing else from this pattern, remember: security groups control traffic at the server level and allow only what you permit, while network ACLs control traffic at the subnet level and can explicitly allow or deny traffic.

Common Mistakes
Trying to allow traffic in a network ACL without allowing it in the security group.
Security groups are stateful and must allow the traffic for it to reach the server, so network ACLs alone are not enough.
Always configure security groups to allow desired traffic in addition to network ACL rules.
Using the same rule number for multiple network ACL entries.
Rule numbers must be unique to avoid conflicts and unexpected behavior.
Assign unique rule numbers for each network ACL entry.
Assuming network ACLs are stateful like security groups.
Network ACLs are stateless, so you must create separate rules for inbound and outbound traffic.
Create matching inbound and outbound rules in network ACLs to allow return traffic.
Summary
Use 'aws ec2 describe-security-groups' to check server-level traffic rules.
Use 'aws ec2 describe-network-acls' to check subnet-level traffic rules.
Add or update rules with 'authorize-security-group-ingress' for security groups and 'create-network-acl-entry' for network ACLs.
Remember security groups are stateful and network ACLs are stateless with unique rule numbers.

Practice

(1/5)
1. Which statement best describes the main difference between AWS Security Groups and Network ACLs (NACLs)?
easy
A. Security Groups control subnet-level traffic; NACLs control instance-level traffic.
B. Security Groups are stateful and control instance-level traffic; NACLs are stateless and control subnet-level traffic.
C. Both Security Groups and NACLs are stateful and control instance-level traffic.
D. NACLs are stateful and control instance-level traffic; Security Groups are stateless and control subnet-level traffic.

Solution

  1. Step 1: Understand Security Groups behavior

    Security Groups are stateful, meaning they remember allowed connections and automatically allow return traffic. They work at the instance level.

  2. Step 2: Understand NACLs behavior

    NACLs are stateless, so they do not remember previous traffic and require explicit rules for both inbound and outbound traffic. They apply at the subnet level.

  3. Final Answer:

    Security Groups are stateful and control instance-level traffic; NACLs are stateless and control subnet-level traffic. -> Option B

  4. Quick Check:

    Stateful = Security Groups, Stateless = NACLs [OK]
Hint: Security Groups = instance + stateful; NACLs = subnet + stateless [OK]
Common Mistakes:
  • Confusing which is stateful or stateless
  • Mixing instance-level and subnet-level controls
  • Assuming both control the same traffic scope
2. Which of the following is the correct way to allow inbound HTTP traffic on port 80 using a Security Group rule in AWS?
easy
A. Allow outbound TCP traffic on port 80 from 0.0.0.0/0
B. Allow inbound UDP traffic on port 80 from 0.0.0.0/0
C. Allow inbound TCP traffic on port 80 from 0.0.0.0/0
D. Allow inbound TCP traffic on port 22 from 0.0.0.0/0

Solution

  1. Step 1: Identify correct protocol and port for HTTP

    HTTP uses TCP protocol on port 80, so the rule must allow inbound TCP traffic on port 80.

  2. Step 2: Confirm direction and source

    Inbound traffic must be allowed from any IP (0.0.0.0/0) to accept public HTTP requests.

  3. Final Answer:

    Allow inbound TCP traffic on port 80 from 0.0.0.0/0 -> Option C

  4. Quick Check:

    HTTP = TCP port 80 inbound [OK]
Hint: HTTP uses TCP port 80 inbound, not UDP or outbound [OK]
Common Mistakes:
  • Allowing UDP instead of TCP
  • Setting outbound instead of inbound
  • Using wrong port like 22 (SSH)
3. You have a subnet with a NACL that allows inbound traffic on port 443 but denies all outbound traffic. A Security Group attached to an instance in this subnet allows inbound and outbound HTTPS traffic on port 443. What will happen when the instance tries to respond to an HTTPS request?
medium
A. The response will be blocked because the NACL denies outbound traffic.
B. The response will be allowed because Security Groups are stateful.
C. The response will be allowed because NACLs override Security Groups.
D. The response will be blocked because Security Groups deny outbound traffic.

Solution

  1. Step 1: Analyze NACL outbound rules

    The NACL denies all outbound traffic, so no outbound packets can leave the subnet regardless of Security Group settings.

  2. Step 2: Analyze Security Group statefulness

    Security Groups are stateful and allow return traffic, but they cannot override the stateless NACL's explicit deny on outbound traffic.

  3. Final Answer:

    The response will be blocked because the NACL denies outbound traffic. -> Option A

  4. Quick Check:

    NACL deny outbound blocks response despite Security Group [OK]
Hint: NACL deny rules always block, even if Security Group allows [OK]
Common Mistakes:
  • Assuming Security Groups override NACLs
  • Ignoring NACL outbound deny effect
  • Confusing stateful and stateless behavior
4. A developer configures a NACL to allow inbound SSH (port 22) traffic but forgets to add an outbound rule to allow return traffic. The Security Group allows inbound and outbound SSH traffic. What issue will occur when trying to SSH into an instance in this subnet?
medium
A. SSH connection will fail because NACL outbound traffic is blocked.
B. SSH connection will succeed because Security Groups allow traffic.
C. SSH connection will fail because Security Groups block inbound traffic.
D. SSH connection will succeed because NACLs are stateful.

Solution

  1. Step 1: Check NACL outbound rules

    NACLs are stateless, so return traffic must be explicitly allowed. Missing outbound rule blocks return SSH packets.

  2. Step 2: Check Security Group rules

    Security Groups allow inbound and outbound SSH, but cannot override NACL blocking outbound return traffic.

  3. Final Answer:

    SSH connection will fail because NACL outbound traffic is blocked. -> Option A

  4. Quick Check:

    NACL stateless requires outbound allow for return traffic [OK]
Hint: NACLs need both inbound and outbound rules for two-way traffic [OK]
Common Mistakes:
  • Assuming Security Groups fix NACL outbound block
  • Forgetting NACLs are stateless
  • Thinking inbound allow is enough
5. You want to secure a multi-tier web application in AWS. The web servers are in a public subnet, and the database servers are in a private subnet. Which combination of Security Groups and NACLs is the best practice to control traffic securely?
hard
A. Use NACLs to allow web traffic to web servers and database traffic only from web servers; use Security Groups to block all traffic.
B. Use NACLs to allow all traffic between web and database subnets; use Security Groups to block all traffic.
C. Use Security Groups to allow all traffic between subnets; use NACLs to allow all inbound and outbound traffic.
D. Use Security Groups to allow web traffic to web servers and database traffic only from web servers; use NACLs to block all inbound traffic except HTTP/HTTPS on the public subnet.

Solution

  1. Step 1: Use Security Groups for instance-level control

    Security Groups should allow web servers to receive HTTP/HTTPS and allow database servers to accept traffic only from web servers for tight control.

  2. Step 2: Use NACLs for subnet-level filtering

    NACLs should block unwanted inbound traffic on the public subnet except HTTP/HTTPS to reduce exposure at the subnet level.

  3. Final Answer:

    Use Security Groups to allow web traffic to web servers and database traffic only from web servers; use NACLs to block all inbound traffic except HTTP/HTTPS on the public subnet. -> Option D

  4. Quick Check:

    Security Groups for instances, NACLs for subnet filtering [OK]
Hint: Security Groups for instances, NACLs for subnet-wide rules [OK]
Common Mistakes:
  • Using NACLs to allow all traffic defeats subnet security
  • Blocking all traffic with Security Groups breaks communication
  • Confusing roles of Security Groups and NACLs